An error displays, similar to the following:
ERROR: VAS_ERR_KRB5: Failed to obtain credentials. Client: vas-user@ALTSUFFIX.VAS, Service: krbtgt/ALTSUFFIX.VAS@ALTSUFFIX.VAS, Server: (null) Caused by: KRB5_KDC_UNREACH (-1765328228): Cannot contact any KDC for requested realm Reason: unable to reach any KDC in realm ALTSUFFIX.VAS
You will get an error message that says, "Cannot contact any KDC for requested realm" because Safeguard Authentication Services cannot obtain a Kerberos ticket for the user principal name encoded on the smart card.
This will occur when Safeguard Authentication Services is unable to communicate with a domain controller. Run the vastool info servers command and try to ping your domain controllers to ensure that your network is properly configured and Safeguard Authentication Services has found a domain controller to use for communication with Active Directory.
If the problem persists, you may have a problem with your user principal name suffix. This occurs when the suffix of the user principal name on your smart card does not match the name of the Kerberos realm for your Active Directory domain. In other words, your Active Directory domain is COMPANY.COM, but the user principal on your smart card is vas-user@ALTSUFFIX.VAS. This means you are using an alternative user principal name suffix.
Configure vas.conf to use user principal name as the logon attribute. This can be done by any of the following methods:
Run the following command:
vastool configure vas vasd username-attr-name userPrincipalName
The following section describes symptoms and possible causes of log error messages when attempting to log in or perform other Safeguard Authentication Services for Smart Cards functions.
Log shows "clock skew problems"
Log shows "server policy does not allow them on" or "account is expired"
Log shows "Failed authentication attempt: cannot verify certificate"
You will get a log error message that says, "clock skew problems" when you encounter a login failure because your system clock was out of sync with Active Directory.
To synchronize your system clock with Active Directory
You will get log error messages that say, "server policy does not allow them on" or "account is expired" when a user's account has been restricted, locked out, or expired; or when a user, whose account is marked Smart card required for login, attempts to log in with a password.
Check the user's account settings in Active Directory. For more information, see Check login.
© ALL RIGHTS RESERVED. Terms of Use Privacy Cookie Preference Center